If Microsoft Office not installed / Word not present, trojan starting additional svchost process and uses it for it's purposes (in both cases trojan maps malicious dll inside address space of victim processes).
Bot (file.ex_ in attach) is trying to contact _hxxp://netmegasite.net/source/bb.php (C&C link obfuscated) to get additional instructions.
Norton Safe Web report
It is getting additional commands looking like this:
(link obfuscated)[info]runurl:_hxxp://www.gynweb.de/forum/customavatars/2_u.e ... 0|backurls:[/info]
VirusTotal report for 2_u.exe
Set itself to autorun through HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell registry key.
Original dropper VirusTotal result
Extracted malicious code to be injected inside svchost/winword VirusTotal result
All samples, including payload, attached.